Thursday, 28 October 2010

E-Voting - How NOT to do it

In the systems I've been involved with:
  • Software - Open Source - not just the Electoral Commission has access to it, it's published on the web for anyone to verify. Operating system and compiler are also open-source.
  • Spot-Checking - Conducted by the Electoral Commission, who may invite 3rd parties such as Universities to check.
  • Background Checking - all those involved held security clearances at various levels.
  • Equipment Certification - Commercial Off-The-Shelf Hardware is used - and certified by the Electoral Commission.
  • Dispute Resolution - handled by using alternate paper ballots, with the Electoral Commission quarantining hardware for 3rd party inspection. In theory; as far as I know, there have been no disputes.
An electronic voting system that is not as secure as a poker machine is almost as easy to subvert as a paper ballot box.


Sevesteen said...

An electronic voting machine that is not secure is easier to subvert than a paper ballot box. A couple of years ago, when I was looking into it, the US systems, made by an ATM manufacturer, were mostly running Windows CE and Microsoft Office. Some of them didn't keep any paper record, so there was no way to do a recount. A voting machine is at least as important as an ATM, and deserves the same level of security.

An awful lot of paranoia is justified in keeping elections secure. We had a lot of rush-job selection of machines, based on being handicapped-accessible. The rules your machines work under seem a lot more sensible.

The ones my area uses print a paper copy that the voter can see, but the machine keeps the paper record. As far as I am concerned, that is a bare minimum, and any company proposing machines without a paper record should be permanently banned from the voting machine business.

Zimbel said...

The gaming machines with centralized reporting, etc. structures (most of them) also can (and most sites do, often by law) perform periodic automatic inspections of the software and files on board.

Also, in most jurisdictions, the ability to write to the permanent storage on board is disabled, so that all software changes go through specific controls.

There are also both locks and physical seals over access to the main boards - and best practice is that the important ones are controlled by more than one entity (say one lock is controlled by the state, and another by the owner).

In any case, while I think gaming law is a good guideline, it's not exactly what you want for voting machines - the requirements are different (for example, having direct recordings of the usage of the machines isn't viable if you want secret votes), the ability to rollback transactions is much weaker, etc.

I think the main point, though, is that at least in the U.S.A., we bought (and are buying) a bunch of machines that aren't designed to solve the vote counting, security, and fraud issues we had or will have in the future. They are more handicapped-accessible, though.

Also note that the voting machines themselves are only part of the problem/solution; a voting system (from the voter attempting to vote through the final tally) needs to be designed with attacks in mind - which include those from insiders. As one example, voting tabulators have been very vulnerable to security issues for a long time.
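The "periodic automatic inspections of the software and files on board" that Zimbel describes, and the spot-checking the post lists, both come down to comparing what is actually installed against an authenticated record of what should be installed. The following is an added example, not code from the post, from either commenter, or from any real voting or gaming product. It builds a manifest of SHA-256 hashes over a constructed sample software tree, authenticates the manifest with an HMAC under an inspection key, and then runs the inspection three times: on a clean tree, on a tree where one binary was modified and an extra library dropped in, and against a manifest an attacker re-hashed but could not re-sign. File names, the `inspect` and `build_manifest` functions and the key-handling arrangement (key held by the inspecting authority, not stored on the machine) are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed sample "on-board" software tree. Names and contents are made up.
SAMPLE_FILES = {
    "bin/tally": b"\x7fELF constructed tally binary image",
    "etc/ballot_layout.json": b'{"contests": ["mayor", "council"]}',
    "lib/ui.so": b"constructed shared library bytes",
}


def sha256_file(path):
    """Hash one file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_mac(files, key):
    """HMAC over the canonical JSON of the hash table, keyed by the inspector's key."""
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()


def build_manifest(root, key):
    """Record the certified state of the tree. Run by the certifying authority (assumption)."""
    files = hash_tree(root)
    return {"files": files, "mac": manifest_mac(files, key)}


def inspect(root, manifest, key):
    """Periodic inspection: check the manifest is genuine, then diff the tree against it.

    Returns a dict so a caller can log or alarm on each class of finding separately.
    An unauthentic manifest is reported and the file comparison is skipped, because a
    manifest the attacker could rewrite would simply agree with the tampered files.
    """
    expected_mac = manifest_mac(manifest["files"], key)
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    expected = manifest["files"]
    actual = hash_tree(root)
    return {
        "manifest_ok": True,
        "modified": sorted(f for f in expected if f in actual and actual[f] != expected[f]),
        "missing": sorted(f for f in expected if f not in actual),
        "unexpected": sorted(f for f in actual if f not in expected),
    }


def demo():
    """Clean inspection, tampered tree, and a forged (re-hashed but unsigned) manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)

        # Assumption: this key lives with the inspecting authority, never on the machine.
        key = os.urandom(32)
        manifest = build_manifest(root, key)
        clean = inspect(root, manifest, key)

        # Tamper: alter the tally binary and add a library the manifest never listed.
        (root / "bin/tally").write_bytes(b"\x7fELF modified tally image")
        (root / "lib/extra.so").write_bytes(b"constructed unexpected library")
        tampered = inspect(root, manifest, key)

        # An attacker who can rewrite the on-board manifest re-hashes the tampered tree
        # but has no key, so reuses the old MAC; the inspection rejects it outright.
        forged = {"files": hash_tree(root), "mac": manifest["mac"]}
        forged_result = inspect(root, forged, key)
        return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, json.dumps(result))
```

The point of the MAC step is the one Zimbel's comment makes about write-protected storage and dual-control locks: an integrity list that the machine itself can rewrite is not evidence of anything, so the record of the certified state has to be anchored somewhere the machine's own software cannot change.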